“Zoom’s security nightmare just got worse after its recent announcement that end-to-end encryption would be for paid users only. But here’s the reality. Let’s face it—there aren’t many people who haven’t used Zoom over the past few months during the COVID-19 crisis.
“It’s no surprise that Zoom’s seen such a massive surge in users, but with this rise, the video chat app has also become a target for Zoom bombers, privacy issues have come to the foreground, and security researchers have unveiled some pretty serious vulnerabilities.
“During this time, Zoom has become a bit like Marmite: You either love it as it’s a great feature-rich service that is clearly trying to improve under huge strain—or you hate it because you think its security faults are intentional and unfixable. ‘Zoom is malware,’ some security industry experts say.
“It’s fair to say this situation has been a nightmare for Zoom. It’s come under pressure to stop Zoom bombers—a recent incident saw a church’s bible class hijacked by uninvited guests sharing child pornography—and now people are seriously angry after CEO Eric Yuan confirmed on its earnings call that end-to-end encryption will be for paid users only.
“At first, this sounds insane. Why make the gold standard of encryption—which means no one can access your meetings or chats, even Zoom or law enforcement—only available to those who pay? Why can people get this for free on Apple’s FaceTime, and Signal, but not on Zoom?
Delving deeper into Zoom’s end-to-end encryption decision
“But actually, if you delve deeper, Zoom’s reasoning behind this is clearer. First, you lose a lot of functionality if you make Zoom end-to-end encrypted. There are no more dial ins to calls, so you can’t join by phone, and you also lose features like cloud recordings and streaming to YouTube.
“Plus, remember that Zoom’s main competitors don’t have end-to-end encryption: Microsoft Teams, Blue Jeans, Google Meet, Cisco Webex (although Webex has e2e for some enterprise users too).
“Then there’s the big issue—Zoom bombing. This affliction affects other services such as Houseparty, but none have become a target for this as much as Zoom. Zoom bombing incidents are also pretty high profile; they don’t make Zoom look good and law enforcement is often involved, especially when it comes to child exploitation.
“The video conferencing service has tried to stop Zoom bombing through some major security upgrades and its ‘Report a User’ feature, but allowing criminals such as those sharing abusive images to further hide on the platform is just not feasible.
“Former Facebook CSO and now Zoom consultant Alex Stamos took to Twitter to explain in a thread: ‘Zoom is dealing with some serious safety issues. This creates a difficult balancing act for Zoom, which is trying to both improve the privacy guarantees it can provide while reducing the human impact of the abuse of its product.’
Here’s the reality
“Another defender of Zoom’s decision to only offer end-to-end encryption to paid users is Ben Thompson, analyst and author of business blog Stratechery, which provides a good explanation of the Zoom earnings call comments. Yuan doesn’t want paid users to pay for end-to-end encryption; he thinks it should be available for everyone, but the platform’s functionality will also be killed by it. It’s a trade-off. In fact, it seems that much of Zoom’s earnings call end-to-end encryption discussion has been misinterpreted as ‘Zoom wants to share your chats with the FBI.’
“So, here’s the reality: Zoom has a PR problem that began as security and privacy issues hit during lockdown and as it tries to pick up the pieces, it’s in danger of getting stuck in a nightmare it can’t escape. After a brief stay, the end-to-end encryption debate has brought out the Zoom haters once again. How Zoom reacts now is crucial—the firm needs to be clearer in explaining what it’s doing and why, or people’s trust will be eroded even more” (Forbes).
In response to this article, Zoom sent me a statement which reads:
“Zoom has engaged with child safety advocates, civil liberties organizations, encryption experts, and law enforcement to incorporate their feedback into our plan. Finding the perfect balance is challenging. We always strive to do the right thing.”
Zoom security tips:
Join Zoom meetings through your web browser rather than using the Zoom desktop software. The web browser version gets security enhancements faster.
"The web version sits in a sandbox in the browser and doesn’t have the permissions an installed app has, limiting the amount of harm it can potentially cause," notes information-security company Kaspersky.
When you click a link to join a meeting, your browser will open a new tab and prompt you to use or install the Zoom desktop software. But in the fine print, there's a link to "join from your browser." Click that instead.
If you are hosting a Zoom meeting, ask that meeting participants sign in with a password. That will make Zoom-bombing much less likely.
Zoom creates a huge "attack surface" and hackers are going to come at it every way they can. They've already registered lots of Zoom-related phony domains and are developing Zoom-themed malware.
The upside is that if lots of flaws in Zoom are found and fixed right away, then Zoom will be the better -- and safer -- for it.
"Zoom will soon be the most secure conferencing tool out there," wrote tech journalist Kim Zetter on Twitter April 1. "But too bad they didn't save themselves some grief and engage in some security assessments of their own to avoid this trial by fire."
https://www.tomsguide.com/news/zoom-security-privacy-woes